Headline
CVE-2023-42431: Security:Security Advisories/BSSA-2023-02 - BlueSpice Wiki
Cross-site Scripting (XSS) vulnerability in the BlueSpiceAvatars extension of BlueSpice allows a logged-in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context.
Date
2023-10-30
Severity
Low
Affected
- BlueSpiceAvatars
Fixed in
- BlueSpiceAvatars 4.3.3
- BlueSpiceAvatars 3.2.10.1
CVE
CVE-2023-42431
Problem
When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change.
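The problem described above is a case of a user-controlled URL reaching the markup of a dialog. The following is an added illustration and is not code from BlueSpice or the BlueSpiceAvatars extension: it places the unsafe pattern (concatenating the raw value into HTML) beside a hardened one (validate the scheme with the URL parser, then escape when building markup). The function names, the allowed-scheme list and the sample inputs are assumptions made for this example.

```javascript
// Added example (not BlueSpice code): handling a user-supplied avatar image
// URL before it is rendered into a preferences dialog.

// Assumption for this example: only absolute http(s) image URLs are accepted.
const ALLOWED_SCHEMES = ['http:', 'https:'];

// Validate that the input is an absolute http(s) URL.
// Returns the normalized URL string, or null if the value must be rejected
// (relative paths, non-http(s) schemes such as javascript: or data:, junk).
function validateAvatarUrl(input) {
  if (typeof input !== 'string') return null;
  const trimmed = input.trim();
  if (trimmed.length === 0 || trimmed.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(trimmed); // throws on anything that is not an absolute URL
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.includes(parsed.protocol)) return null;
  return parsed.href; // parser output, with path/query characters percent-encoded
}

// Escape the characters that can change meaning inside HTML text or a
// double- or single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe pattern: the raw value is spliced into the attribute, so a quote
// in the input terminates the attribute and the rest becomes markup.
function renderPreviewUnsafe(input) {
  return '<img class="avatar-preview" src="' + input + '">';
}

// Hardened pattern: reject anything that is not an http(s) URL, then escape
// the accepted value even though the URL parser already encoded most of it
// (the parser leaves the single quote in a path untouched, for instance).
function renderPreviewSafe(input) {
  const url = validateAvatarUrl(input);
  if (url === null) {
    return '<span class="avatar-error">Invalid image URL</span>';
  }
  return '<img class="avatar-preview" src="' + escapeHtml(url) + '">';
}

// Count of double quotes in a rendered string: the safe preview always has
// exactly four (two attribute delimiters each for class and src).
function countDoubleQuotes(html) {
  return (html.match(/"/g) || []).length;
}
```

In browser code the better fix is to avoid building HTML strings at all: create the `<img>` element and assign `img.src = url` (or use `setAttribute`) after `validateAvatarUrl` has accepted the value, so there is no attribute context to break out of; the scheme check is still needed because DOM assignment does not stop a non-image scheme from being set.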
Solution
- BlueSpice 4: Update to version 4.3.3
- BlueSpice 3: Update Extension:BlueSpiceAvatars to version 3.2.10.1
Acknowledgements
Special thanks to the security team of an undisclosed customer.